CVE-2026-27655
Stored XSS in ManageEngine Exchange Reporter Plus Mailbox Report

Publication date: 2026-04-03

Last updated on: 2026-04-03

Assigner: ManageEngine

Description
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to stored XSS in the "Permissions Based on Mailboxes" report.
Meta Information
Published: 2026-04-03
Last Modified: 2026-04-03
Generated: 2026-06-16
AI Q&A: 2026-04-03
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
zohocorp manageengine_exchange_reporter_plus 5.8
zohocorp manageengine_exchange_reporter_plus 5.8
zohocorp manageengine_exchange_reporter_plus to 5.8 (exc)
zohocorp manageengine_exchange_reporter_plus 5.8
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2026-27655 is a stored Cross-Site Scripting (XSS) vulnerability found in the ManageEngine Exchange Reporter Plus software, specifically in the "Permissions Based on Mailboxes" report within the Reports module.

This vulnerability affects versions 5801 and earlier of Exchange Reporter Plus. An authenticated attacker with Exchange administrative privileges can exploit this flaw by injecting malicious scripts into the report.

When other users access the compromised report, the malicious scripts execute under their privileges, potentially allowing unauthorized actions within the Exchange environment.

The issue was fixed in version 5802 by implementing proper input validation to prevent script injection.

Impact Analysis

This vulnerability can lead to unauthorized operations within your Exchange environment.

An attacker with Exchange administrative privileges can inject malicious scripts into mailbox permission reports, which execute when viewed by other users.

This could allow the attacker to perform actions on behalf of other users, potentially compromising sensitive data or altering configurations.

Because the vulnerability involves stored XSS, it can persist and affect multiple users who access the affected report.

Mitigation Strategies

To mitigate the CVE-2026-27655 vulnerability, users should update their Exchange Reporter Plus installations to version 5802 or later, as this version includes a fix that implements proper input validation to prevent script injection.

If updating immediately is not possible, users should restrict access to the "Permissions Based on Mailboxes" report to trusted administrators only, as exploitation requires authenticated Exchange administrative privileges.

For further assistance with updating or mitigation, contacting product support or the security team is recommended.

Compliance Impact

The provided information does not specify how the stored XSS vulnerability in ManageEngine Exchange Reporter Plus directly impacts compliance with common standards and regulations such as GDPR or HIPAA.
